Solid password practice on Capital One's site? Don't bank on it

What's in your wallet? Definitely not a password manager

Capital One is facing criticism for using policies on its banking website that prevent the use of password managers.

Joseph Carrigan, a Reg reader and senior security engineer at the Johns Hopkins University Information Security Institute in the US, says he was trying to reset the password for his Capital One bank account recently when he found that its online portal prevented him from copying and pasting text into the password fields from his password manager.

While not being able to paste in passwords may seem like at worst an annoyance, Carrigan told El Reg that the policy has a seriously adverse effect on security. In particular, it prevents the use of a password manager that can generate a long, complex and unique passcode for the user.

"Imagine a user is accessing an account on this company’s page with a good password. The password is 20 to 30 characters in length and contains uppercase letters, lowercase letters, digits, and special characters," Carrigan explained.

"If the user can copy the password from their password manager to the site, changing the password is easy. However this site requires, by design, that the user manually enter the password."

If a user wants to change their password, they would have to be able to enter the code, by hand, at least twice (once to establish the new password and a second time to confirm it) in addition to the old password, all without any mistakes.

Rather than do that process with a long, secure password, users are more likely to pick a short password that is easy to remember, or just re-use the password from another site. Both of those are major infosec no-no's.

No, eight characters, some capital letters and numbers is not a good password policy

"The problem is that this incentivizes poor password hygiene on the part of the user," Carrigan said. "I think anything that pushes users in the direction of weak passwords is a defect."

Capital One did not return a Reg request for comment on the matter, but Carrigan says the bank's customer support told him the policy was by design.

In Carrigan's case, he said he was eventually able to get around the block by modifying the autofill settings on his password manager (he uses Password Safe), but the process would be rather complex for most users and just as time consuming as typing in the code by hand.

Either way, the bank is making it harder for users to set up and maintain a strong password in perhaps the place where they need it most. While this issue might not be the immediate danger of something like an SQL injection or cross-site scripting flaw, it could end up being just as risky for many of Capital One's customers.

And, of course, Capital One is far from the only website blocking cut'n'paste from its password fields – a fresh offender crops up every week if not every day – we kinda expected better from a bank. Let us know below in the comments, please, if you've clocked any major sites recently blocking password managers. ®